
Protection and Infringement of Personal Data


As we have already defined personal data as information that identifies a natural person, it’s time to look at how it is protected.

It goes without saying that updating your website’s Privacy Policy is the first step in ensuring invaluable protection for both you and your users against breaches.

But what is an infringement of personal data?

First, let’s see what counts as an infringement of personal data.

In broad terms, we could define it as not showing the required respect for someone’s right to keep their personal data (such as their name, age, address, profession, etc.) secret and manage it in an exclusive manner and at their discretion.

This infringement could result in the loss, destruction or disclosure of the data to third parties.

Some data infringement examples:

  • Google infringed the privacy laws of minors
  • Zoom provided data to third parties without users’ prior knowledge
  • Facebook paid a fine for its involvement in the collection of personal data for Cambridge Analytica
[Image: icon that appears when an Apple app uses personal information. Caption: data infringement example]

In order to avoid data infringements similar to those mentioned above, we rely on specific mechanisms provided by the protective legislation. These include:

  • The GDPR (EU) 2016/679 that shields citizens against personal data infringement in general
  • Law 4624/2019 with measures for implementing the GDPR and incorporating Directive (EU) 2016/680 into Greek law
  • Law 3471/2006 which includes the Directive 2002/58/EC of the European Parliament and covers protection in the field of electronic services in Greece
  • Regulation (EU) 2018/1725 of the European Parliament
  • Law 2472/1997, which was repealed, except for the articles provided for in article 84 of Law 4624/2019 mentioned above

Besides the national and European legislation that provide a satisfactory level of privacy protection in the electronic world, two more institutions guarantee our safe navigation and use of online platforms:

  1. The Data Protection Officer of the European Parliament (DPO). Their main responsibility is to keep records of all processing operations of personal data carried out by the European Commission. These records must indicate the purpose and conditions of all processing operations and must be easily accessible to everyone. With regard to private websites, the DPO assists the controller or processor by facilitating their compliance with the provisions of the GDPR (identifying discrepancies and explaining the regulation) and mediating between different stakeholders (e.g. supervisory authorities, users). Their role is merely advisory and they are not responsible for the company’s non-compliance with the law. The position is adequately described in Articles 37, 38 and 39 of the Regulation.
  2. The European Data Protection Supervisor (EDPS) is the main independent authority for the protection of personal data in the European Union, consisting of an appointed Supervisor supported by a fully trained team of experts with the aim of not only ensuring the enforcement of legislation in the EU institutions, but also advising on security issues in the electronic world. The supervisor also cooperates with national authorities of Member States to achieve consistent protection across the Union.

What are the user’s rights?

Now, let’s look more closely at some of the protective measures that we draw from the legal framework listed above. These measures are governed at all times by the principle of transparency (Article 12 of the GDPR) and the principle of accountability (Article 5 of the same Regulation), making it mandatory for the company to inform users frequently and in detail about its actions.

  • Right to contact the Data Protection Officer. Taking Article 38 of the GDPR as our basis, data subjects can contact the Data Protection Officer directly for any issue related to the processing of their data and the exercise of their rights.

  • Right to lodge a complaint. Based on Article 77 of the GDPR, users can lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. Example: stealing information for advertising purposes.

  • Right to an effective judicial remedy. According to Article 78 of the GDPR, any citizen or business has a right to a judicial remedy against a decision taken by the supervisory authority to which they have made a complaint, in order to overturn it or to obtain further reasons for the authority’s opinion on the matter. The person involved also has the same right against the controller or processor according to Article 79 of the GDPR.

  • Right of representation. The data subject can entrust a non-profit organisation, or another type of association active in the field of protection of individual rights and freedoms, with the exercise of their rights, and according to Article 80 of the GDPR the organisation itself can submit a complaint under Articles 78 and 79 to the competent authority if it detects a personal data infringement.

  • Right to compensation and liability. In view of Article 82 of Regulation (EU) 2016/679, anyone who has suffered material or non-material damage as a result of an infringement (e.g. an infringement of a person’s honour and dignity where details of their sex life have been made public against their will) may claim compensation from the controller or processor respectively to cover the damage suffered.

  • Right of access and data portability. It is crucial that users have immediate and free access to their data, even if only after a request to the company, and that they are informed whether it is being processed. If it is actually being processed, then they must be informed of how and why it is being processed and who the recipients of the personal data are. Additionally, if the user has given their consent, they can also demand the return of their data or its direct transfer to a third-party company. This is the so-called right to portability.

  • Right to rectification and right to object. It is also possible for the data subject to request the correction or completion of the data already provided if they consider it to be incorrect or incomplete. Moreover, they have the right, at any time, to object to the processing of their personal data for a specific use by the company, which results in the immediate suspension of that processing. The same applies if the user only wants limited processing. Example: in the case of purely commercial marketing, you as a company are always obliged to stop the processing of personal data.
[Image: commercial marketing and the processing of personal data]
  • Right to erasure, or in other words the right to be forgotten. There are cases where the user may request that their data be deleted from a platform, such as when it is not necessary for the achievement of the company’s purpose.

Attention! The company is not obliged to accept the request if:

  1. the processing is carried out as a means of defending freedom of expression and information
  2. the processing is carried out for reasons of public interest, e.g. public health or scientific research
  3. keeping the data is necessary for compliance with legal obligations or for the establishment of legal claims, e.g. evidence in a criminal investigation

Can we as users take some simple steps to protect ourselves?

Yes we can! Specifically we can:

  • try to share less personal information online
  • use strong and unique passwords when registering on platforms
  • frequently check the Privacy Settings on our profiles
  • not ignore software updates

Author

Efi Kostopoulou
Lawyer